After getting AWS Cognito token, how can I have access to another aws resource?

I am developing an asp.net core application and I could authenticate fine using the AWS SDK. Now that I have a token session object, I would like to know how I can use the AccessToken to gain access to other AWS resources. I have tried some AWS docs, but I could not find any help.

Upvotes: 0

Views: 512

Answers (1)

MyStackRunnethOver

Reputation: 5285

You've authenticated by using a User Pool to convert user credentials (username and password) to an auth token. The auth token serves as an indication that your user is a member of the given User Pool.

The next step is to convert the auth token to AWS credentials, the keys necessary to tell an arbitrary AWS service that you are allowed to access it. (These credentials are tied to a specific IAM user or role). To do that, you have to use an Identity Pool. An identity pool handles exactly the transition from an authenticated user (represented by an auth token) to AWS credentials.

Check out Accessing AWS Services Using an Identity Pool After Sign-in, and Getting Credentials. The latter has more specific code examples.

The recommended way to obtain AWS credentials for your app users is to use AWS.CognitoIdentityCredentials. The identity in the credentials object is then exchanged for credentials using AWS STS.

What this means is that the CognitoIdentityCredentials represents the exchange functionality of an Identity Pool. The latter part, via STS, is handled automatically by this object.

Note that in order for this to happen, you need to set up an Identity Pool, and tell it to use the existing User Pool as its source of authentication. You will also tell it which IAM user or role to associate with the users in that User Pool. Then, when a user asks the Identity Pool for credentials, those credentials represent the permissions granted to that IAM user or role.

Upvotes: 1
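The exchange the answer describes (User Pool token in, Identity Pool and STS credentials out, then a call to another service) in the AWS SDK for .NET, as an added example that is not from the original post. It assumes placeholder pool IDs and region, and an ID token already returned by the User Pool sign-in; note that the Identity Pool's logins map takes the User Pool ID token, not the access token asked about in the question.

```csharp
// Added example: User Pool ID token -> Identity Pool -> temporary AWS credentials -> S3.
// Placeholders (not real values): region, User Pool ID, Identity Pool ID, bucket name.
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentity;
using Amazon.Runtime;
using Amazon.S3;
using Amazon.S3.Model;

public static class CognitoAccess
{
    // Placeholders: replace with your own region and pool identifiers.
    const string Region = "us-east-1";
    const string UserPoolId = "us-east-1_EXAMPLE";
    const string IdentityPoolId = "us-east-1:00000000-0000-0000-0000-000000000000";

    // Builds a credentials object that performs the Identity Pool exchange
    // (GetId + GetCredentialsForIdentity, i.e. the STS step) on first use and
    // caches the result until it expires. The logins map must carry the
    // User Pool *ID* token; an access token is rejected by the Identity Pool.
    public static CognitoAWSCredentials CredentialsFromIdToken(string idToken)
    {
        var region = RegionEndpoint.GetBySystemName(Region);
        var credentials = new CognitoAWSCredentials(IdentityPoolId, region);

        // Provider name for a Cognito User Pool: cognito-idp.<region>.amazonaws.com/<userPoolId>
        credentials.AddLogin($"cognito-idp.{Region}.amazonaws.com/{UserPoolId}", idToken);
        return credentials;
    }

    // Uses the exchanged credentials against another AWS service (S3 here).
    // What this call may do is decided solely by the Identity Pool's authenticated
    // IAM role; keep that role's policy narrow (for example, scope S3 keys with the
    // ${cognito-identity.amazonaws.com:sub} policy variable so each user only sees
    // their own prefix).
    public static async Task<int> CountObjectsAsync(string idToken, string bucket, string prefix)
    {
        CognitoAWSCredentials credentials = CredentialsFromIdToken(idToken);

        // Force the exchange now so a bad token or misconfigured pool fails here,
        // with a clear Cognito error, rather than on the first S3 request.
        ImmutableCredentials _ = await credentials.GetCredentialsAsync();

        using var s3 = new AmazonS3Client(credentials, RegionEndpoint.GetBySystemName(Region));
        var response = await s3.ListObjectsV2Async(
            new ListObjectsV2Request { BucketName = bucket, Prefix = prefix });
        return response.KeyCount;
    }
}
```

When the ID token expires (one hour by default), sign the user in again or use the refresh token to obtain a new ID token and call AddLogin again before the next exchange.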
